The invention relates to computer security and particularly to computer security when a user has lost or forgotten the user password.
Many personal computers (PCs) or workstations allow a user to secure data and information stored in a computer by requiring the user to enter a password previously defined by the user. The password is used to limit access to data stored on the computer.
In one type of security system encryption is used to transform xe2x80x9cplaintextxe2x80x9d data into a form unintelligible to anyone who does not have a decryption key. Data is thus kept private and away from those for whom it is not intended. The password may serve as a decryption key or a means for obtaining the decryption key.
To regain access to encrypted data, the user, often at logon, must type in the user password exactly as he/she previously defined it. The user password is then used to decrypt the data. However, without the user password, access to the data cannot generally be gained.
In a centralized network situation, when a user forgets his/her password, a system administrator can give the user access to his/her files by overriding the user password function through a backdoor access, or, if passwords are centrally stored, obtaining the password for the user. However, with a freestanding PC or workstation, unlike with networks, there is no centralized administration or access to passwords, and loss of a user password in an independent PC or workstation situation can be devastating.
Typically, if a user forgets the user password, for unlocking all files the entire computer product must be removed/replaced and/or the data encrypted with the password must be erased since it is unintelligible without a decryption key. Generally, loss of a user password in such a situation will cause the user to lose a significant amount, if not all, of the user""s protected data.
Thus, it is desirable to develop a system which allows a user to gain access to his/her computer data even if the user has forgotten the password. However, because data security is of prime significance to users who use passwords, it is also desirable to allow a user to override password protection to data in a way that does not significantly compromise the security of the data.
In accordance with the invention a method of securely and automatically authenticating a user is disclosed. Bona fides are entered for a user, hashed, and then stored at an authenticating entity, remote from the user""s computer. When a user forgets his/her password, the user enters his/her bona fides, which are again hashed on the user""s system, and then securely transmitted to the authenticating entity. The authenticating entity compares the received, hashed bona fides to those previously stored at the authenticating entity. If the comparison shows that the values match or otherwise appropriately correlate, the user will be authenticated. The user will then be provided with the means to access his/her encrypted data. In other words, once authenticated the authenticating entity will automatically provide the user and/or the user""s computer with an access key, in one embodiment, allowing the user to access his/her encrypted data.
Such a method is advantageous in that it can minimize the live-human resources dedicated at the authenticating entity to responding to lost-password inquiries. In fact, in utilizing the present invention, no human need be present at the authenticating entity to grant a user access to his/her data, and yet the granting of such access is granted remains secure.